State Transition Analysis: A Rule-Based Intrusion Detection Approach
- IEEE Transactions on Software Engineering
, 1995
Cited by 239 (16 self)
This paper presents a new approach to representing and detecting computer penetrations in real-time. The approach, called state transition analysis, models penetrations as a series of state changes that lead from an initial secure state to a target compromised state. State transition diagrams, the graphical representation of penetrations, identify precisely the requirements for and the compromise of a penetration and present only the critical events that must occur for the successful completion of the penetration. State transition diagrams are written to correspond to the states of an actual computer system, and these diagrams form the basis of a rule-based expert system for detecting penetrations, called the State Transition Analysis Tool (STAT). The design and implementation of a UNIX-specific prototype of this expert system, called USTAT, is also presented. This prototype provides a further illustration of the overall design and functionality of this intrusion detection approach. Lastly, STAT is compared to the functionality of comparable intrusion detection tools.
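To make the state transition idea concrete, here is an added example (my construction, not code from the STAT/USTAT paper): a penetration scenario written as a list of guarded transitions over a constructed audit trail. The scenario itself (an unprivileged user creates a file, the file gains the setuid bit, and the file is then executed) and the event fields are hypothetical and chosen only to exercise the engine. As in the abstract, only the signature actions appear as transitions; everything else in the trail is ignored, and facts bound by an earlier transition (the file path, its creator) constrain the later ones.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed audit record (hypothetical fields, not a real audit format)
@dataclass(frozen=True)
class Event:
    seq: int        # position in the audit trail
    uid: int        # user performing the action
    syscall: str    # "create", "chmod", "exec", ...
    path: str       # object acted on
    mode: int = 0   # new permission bits for "chmod"

Bindings = Dict[str, object]

@dataclass
class Transition:
    """One arc of a state transition diagram. `guard` is the signature action
    that moves the scenario forward; `bind` records facts (here the file and its
    creator) that later guards refer back to."""
    name: str
    guard: Callable[[Event, Bindings], bool]
    bind: Callable[[Event, Bindings], Bindings] = field(default=lambda e, b: {})

@dataclass
class Instance:
    state: int          # index of the next transition to satisfy
    bindings: Bindings
    trail: List[int]    # seq numbers of the events that advanced it

class StateTransitionDetector:
    """Runs every partially matched scenario in parallel over an event stream.
    An instance advances in place when its next guard holds, and a fresh instance
    is seeded at the initial state for every event so a penetration may begin
    anywhere in the trail. When the final transition fires the instance is
    reported and retired."""
    def __init__(self, transitions: List[Transition]):
        self.transitions = transitions
        self.instances: List[Instance] = []
        self.alerts: List[Instance] = []

    def feed(self, ev: Event) -> List[Instance]:
        fired: List[Instance] = []
        survivors: List[Instance] = []
        for inst in self.instances + [Instance(0, {}, [])]:
            t = self.transitions[inst.state]
            if t.guard(ev, inst.bindings):
                inst = Instance(inst.state + 1,
                                {**inst.bindings, **t.bind(ev, inst.bindings)},
                                inst.trail + [ev.seq])
                if inst.state == len(self.transitions):
                    fired.append(inst)      # compromised state reached
                    continue
            elif not inst.trail:
                continue                    # the seed matched nothing: drop it
            survivors.append(inst)
        self.instances = survivors
        self.alerts.extend(fired)
        return fired

SETUID = 0o4000

# Constructed scenario (not one from the paper): unprivileged create,
# then setuid bit set on that same file, then that file is executed.
SETUID_PLANT = [
    Transition("unprivileged_create",
               lambda e, b: e.syscall == "create" and e.uid != 0,
               lambda e, b: {"path": e.path, "creator": e.uid}),
    Transition("mark_setuid",
               lambda e, b: e.syscall == "chmod" and e.path == b["path"]
               and bool(e.mode & SETUID)),
    Transition("execute",
               lambda e, b: e.syscall == "exec" and e.path == b["path"]),
]

# Constructed audit trail: /tmp/y is a benign decoy, /tmp/x is the penetration
TRAIL = [
    Event(1, 1001, "create", "/tmp/x"),
    Event(2, 1002, "create", "/tmp/y"),
    Event(3, 1001, "chmod", "/tmp/x", 0o4755),
    Event(4, 1002, "chmod", "/tmp/y", 0o644),
    Event(5, 1003, "exec", "/tmp/y"),
    Event(6, 1003, "exec", "/tmp/x"),
]

def run(trail=TRAIL) -> List[Instance]:
    det = StateTransitionDetector(SETUID_PLANT)
    for ev in trail:
        for hit in det.feed(ev):
            print(f"ALERT at event {ev.seq}: {hit.bindings} via events {hit.trail}")
    return det.alerts

if __name__ == "__main__":
    run()
```

Advancing an instance in place means each partial match consumes the event that advanced it; USTAT's inference engine instead forks instances so that repeated occurrences of an intermediate action can each lead to a separate detection, which matters when the same file is re-chmodded or executed several times.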
Detecting Computer and Network Misuse Through the Production-Based Expert System Toolset (P-BEST)
- In Proceedings of the 1999 IEEE Symposium on Security and Privacy
, 1999
Cited by 88 (8 self)
This paper describes an expert system development toolset called the Production-Based Expert System Toolset (P-BEST) and how it is employed in the development of a modern generic signature-analysis engine for computer and network misuse detection. For more than a decade, earlier versions of P-BEST have been used in intrusion detection research and in the development of some of the most well-known intrusion detection systems, but this is the first time the principles and language of P-BEST are described to a wide audience. We present rule sets for detecting subversion methods against which there are few defenses---specifically, SYN flooding and buffer overruns---and provide performance measurements. Together, these examples and performance measurements indicate that P-BEST-based expert systems are well suited for real-time misuse detection in contemporary computing environments. In addition, the simplicity of the P-BEST language and its close integration with the C programming language ...
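The SYN flooding rule set is not reproduced in the abstract, so the following is an added example of how a production-rule style half-open connection detector is typically structured (my construction in Python, not P-BEST's rules or language). Facts are pending half-open connections keyed by destination and source; a SYN asserts one, the client's completing ACK retracts it, stale facts are aged out, and the rule fires when one destination holds at least `threshold` live facts. The packet fields, the addresses and the traffic are all constructed; keying on source address alone (rather than the full 4-tuple) is a simplification.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Packet:
    ts: float    # seconds since capture start (constructed)
    src: str
    dst: str
    flags: str   # "S" client SYN, "SA" server SYN-ACK, "A" client ACK

class HalfOpenRule:
    """Fact base: pending[dst][src] = time of the unanswered SYN.
    Rule: fire once per episode when len(pending[dst]) >= threshold."""
    def __init__(self, window: float = 10.0, threshold: int = 20):
        self.window = window
        self.threshold = threshold
        self.pending: Dict[str, Dict[str, float]] = defaultdict(dict)
        self.firing: Set[str] = set()
        self.alerts: List[Tuple[float, str, int]] = []

    def _expire(self, now: float) -> None:
        # Age out facts older than the window so legitimate slow clients do not
        # accumulate into a false positive.
        for srcs in self.pending.values():
            for src in [s for s, t in srcs.items() if now - t > self.window]:
                del srcs[src]

    def observe(self, pkt: Packet) -> bool:
        self._expire(pkt.ts)
        if pkt.flags == "S":
            self.pending[pkt.dst][pkt.src] = pkt.ts        # assert fact
        elif pkt.flags == "A":
            self.pending[pkt.dst].pop(pkt.src, None)       # retract fact
        live = len(self.pending[pkt.dst])
        if live >= self.threshold:
            if pkt.dst not in self.firing:                 # report once per episode
                self.firing.add(pkt.dst)
                self.alerts.append((pkt.ts, pkt.dst, live))
                return True
        else:
            self.firing.discard(pkt.dst)
        return False

def normal_handshakes(server: str = "10.0.0.5", n: int = 5) -> List[Packet]:
    """Constructed traffic: n clients that complete the three-way handshake."""
    pkts: List[Packet] = []
    for i in range(n):
        client, t = f"192.0.2.{i + 1}", i * 0.1
        pkts += [Packet(t, client, server, "S"),
                 Packet(t + 0.01, server, client, "SA"),
                 Packet(t + 0.02, client, server, "A")]
    return pkts

def spoofed_flood(server: str = "10.0.0.5", n: int = 25, start: float = 1.0) -> List[Packet]:
    """Constructed flood: every SYN comes from a different source that never answers."""
    return [Packet(start + i * 0.02, f"203.0.113.{i + 1}", server, "S") for i in range(n)]

def run(packets: List[Packet]) -> List[Tuple[float, str, int]]:
    rule = HalfOpenRule()
    for p in packets:
        if rule.observe(p):
            print(f"SYN flood suspected against {p.dst} at t={p.ts:.2f}s")
    return rule.alerts

if __name__ == "__main__":
    run(normal_handshakes() + spoofed_flood())
```

The completed handshakes never count, so the threshold only sees the spoofed SYNs; tuning `window` against the server's own SYN-RECEIVED timeout is what keeps the rule from firing on ordinary bursts.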
GrIDS - A Graph-Based Intrusion Detection System for Large Networks
- In Proceedings of the 19th National Information Systems Security Conference
, 1996
Cited by 75 (1 self)
There is widespread concern that large-scale malicious attacks on computer networks could cause serious disruption to network services. We present the design of GrIDS (Graph-Based Intrusion Detection System). GrIDS collects data about activity on computers and network traffic between them. It aggregates this information into activity graphs which reveal the causal structure of network activity. This allows large-scale automated or co-ordinated attacks to be detected in near real-time. In addition, GrIDS allows network administrators to state policies specifying which users may use particular services of individual hosts or groups of hosts. By analyzing the characteristics of the activity graphs, GrIDS detects and reports violations of the stated policy. GrIDS uses a hierarchical reduction scheme for the graph construction, which allows it to scale to large networks. An early prototype of GrIDS has successfully detected a worm attack. Keywords: Intrusion detection, networks, informatio...
Artificial Intelligence and Intrusion Detection: Current and Future Directions
- In Proceedings of the 17th National Computer Security Conference
, 1994
Cited by 59 (0 self)
Intrusion Detection systems (IDSs) have previously been built by hand. These systems have difficulty successfully classifying intruders, and require a significant amount of computational overhead making it difficult to create robust real-time IDS systems. Artificial Intelligence techniques can reduce the human effort required to build these systems and can improve their performance. Learning and induction are used to improve the performance of search problems, while clustering has been used for data analysis and reduction. AI has recently been used in Intrusion Detection (ID) for anomaly detection, data reduction and induction, or discovery, of rules explaining audit data. We survey uses of artificial intelligence methods in ID, and present an example using feature selection to improve the classification of network connections. The network connection classification problem is related to ID since intruders can create "private" communications services undetectable by normal means. We als...
Intrusion Detection Applying Machine Learning to Solaris Audit Data
- In Proc. of the IEEE Annual Computer Security Applications Conference
, 1998
Cited by 23 (0 self)
An Intrusion Detection System (IDS) seeks to identify unauthorized access to computer systems' resources and data. The most common analysis tool that these modern systems apply is the operating system audit trail that provides a fingerprint of system events over time. In this research, the Basic Security Module auditing tool of Sun's Solaris operating environment was used in both an anomaly and misuse detection approach. The anomaly detector consisted of the statistical likelihood analysis of system calls, while the misuse detector was built with a neural network trained on groupings of system calls. This research demonstrates the potential benefits of combining both aspects of detection in future IDSs to decrease false positive and false negative errors.

1 Introduction

Over the past several years, computer attacks and break-ins have become commonplace. Numerous attacks have been successfully launched on government installations, company systems, and personal user accounts resulting...
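The abstract does not say which likelihood model the anomaly detector used, so the following is an added example of one plausible form of "statistical likelihood analysis of system calls": an additively smoothed trigram model trained on constructed, benign-looking traces, scoring a new trace by its mean negative log-likelihood per call. This is my construction, not the paper's method or its BSM data; the traces, the vocabulary and the threshold margin are all invented for illustration.

```python
import math
from collections import Counter
from typing import Iterable, List, Sequence, Tuple

BOS, UNK = "<s>", "<unk>"

class SyscallNgramModel:
    """Additively smoothed n-gram model over a process's system-call trace.
    `surprise` returns the mean negative log-likelihood per call, so sequences
    the model never saw in training score high."""
    def __init__(self, n: int = 3, alpha: float = 1.0):
        self.n, self.alpha = n, alpha
        self.counts: Counter = Counter()    # (context, next) -> occurrences
        self.context: Counter = Counter()   # context -> occurrences
        self.vocab = {UNK}                  # unseen calls collapse to UNK

    def _ngrams(self, trace: Sequence[str]) -> Iterable[Tuple[Tuple[str, ...], str]]:
        toks = [BOS] * (self.n - 1) + [t if t in self.vocab else UNK for t in trace]
        for i in range(self.n - 1, len(toks)):
            yield tuple(toks[i - self.n + 1:i]), toks[i]

    def fit(self, traces: List[Sequence[str]]) -> "SyscallNgramModel":
        for tr in traces:
            self.vocab.update(tr)
        for tr in traces:
            for ctx, nxt in self._ngrams(tr):
                self.counts[(ctx, nxt)] += 1
                self.context[ctx] += 1
        return self

    def prob(self, ctx: Tuple[str, ...], nxt: str) -> float:
        v = len(self.vocab)
        return (self.counts[(ctx, nxt)] + self.alpha) / (self.context[ctx] + self.alpha * v)

    def surprise(self, trace: Sequence[str]) -> float:
        nll = [-math.log(self.prob(ctx, nxt)) for ctx, nxt in self._ngrams(trace)]
        return sum(nll) / len(nll)

# Constructed training traces standing in for audited benign runs of one program
TRAINING = [
    ["open", "fstat", "mmap", "read", "write", "read", "write", "close"],
    ["open", "fstat", "mmap", "read", "write", "close"],
    ["stat", "open", "fstat", "read", "write", "read", "write", "read", "write", "close"],
]

def build(margin: float = 0.2) -> Tuple[SyscallNgramModel, float]:
    """Threshold = worst surprise seen on the training traces plus a margin."""
    model = SyscallNgramModel().fit(TRAINING)
    threshold = max(model.surprise(t) for t in TRAINING) + margin
    return model, threshold

def classify(trace: Sequence[str], margin: float = 0.2) -> Tuple[float, bool]:
    """Returns (surprise, flagged) for one trace."""
    model, threshold = build(margin)
    s = model.surprise(trace)
    return round(s, 4), s > threshold

# Constructed test traces: one benign repeat, one that shifts to privilege changes
NORMAL = ["open", "fstat", "mmap", "read", "write", "close"]
SUSPECT = ["stat", "open", "chmod", "setuid", "execve"]

if __name__ == "__main__":
    for name, tr in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(name, classify(tr))
```

The SUSPECT trace is caught because `chmod`, `setuid` and `execve` never occurred in training, so both the calls and the contexts they create fall back to the smoothed floor probability; a neural misuse detector of the kind the abstract pairs with this would instead have to be trained on groupings that contain such calls.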
Architecture Design of a Scalable Intrusion Detection System for the Emerging Network Infrastructure
, 1997
Cited by 21 (0 self)
The indexed text for this entry is a fragment of the report's table of contents rather than an abstract:
... ion Module (IAM)
2.2.1.6 JiNao Management Information Base (JiNaoMIB)
2.2.2 Remote Subsystem
2.2.3 Management Information Exchange Protocol
2.3 Interfaces Between Modules
3 Design Objectives
3.1 Comprehensiveness
3.2 Scalability
3.3 Interoperability
4 Functional Description
4.1 Local Subsystem
4.1.1 Interception/Redirection Module
4.1.2 Prevention Module
4.1.2.1 Prevention Layer ...
On Atypical Database Transactions: Identification of Probable Frauds using Machine Learning for User Profiling
- Proceedings of IEEE Knowledge and Data Engineering Exchange Workshop, 107-113
, 1997
Cited by 4 (0 self)
This paper proposes a framework for deriving users' profiles of typical behaviour and detecting atypical transactions which may constitute fraudulent events or simply a change in user's behaviour. The anomaly detection problem is presented and previous attempts to address it are discussed. The proposed approach proves that individual users' profiles can be constructed and provides an algorithm that derives users' profiles and an algorithm to identify atypical transactions. Lower and upper bounds for the number of misclassifications are also provided. An evaluation of this approach is discussed and some issues for further research are outlined.
A Survey of Distributed Intrusion Detection Approaches
, 2005
Cited by 2 (0 self)
Distributed intrusion detection systems detect attacks on computer systems by analyzing data aggregated from distributed sources. The distributed nature of the data sources allows patterns in the data to be seen that might not be detectable if each of the sources were examined individually. This paper describes the various approaches that have been developed to share and analyze data in such systems, and discusses some issues that must be addressed before fully decentralized distributed intrusion detection systems can be made viable.

